Encountering redirect loop with Cloudflare Access

[jeslinmx]

Hi there!

First of all, thank you for creating this app, it's one of the simplest SSO-type flows I've ever set up and it worked flawlessly for me when authenticating with an email belonging to an existing account.

The issue I encountered was when attempting to authenticate with an email that does not already have an account, while Override Frappe Login is enabled. ERPNext attempts to send me to the profile update page for the new user, but that page then redirects to itself.

Also note that ERPNext itself is protected by Cloudflare Access, however, from the network devtools, it appears that the redirect loop is simply (update profile page -> update profile page), rather than (update profile page -> jwt_auth configured login url (which is the Cloudflare Access login page) -> last page (which is the update profile page)).

I also attempted the same experiment with Override Frappe Login disabled, but then I do not get automatic logins, even for users that already exist.

I am inclined to believe that this is just operator error, as I have not used Frappe much yet, and also my JWT Auth Settings differs from what is described in the README (I do not have a Provider selection box, so I configured Cloudflare Access manually). I am installing jwt_auth from the develop branch, so I am not sure what I am doing wrongly here, but I would very much appreciate your guidance.

Thanks!

[batonac]

Hey jeslinmx, thanks for taking this for a spin! We're using this in production without a hitch, but I understand there are a few paper cuts with the app, especially with the documentation and configuration. I'll see if we can't clean this up for you, both with the docs and settings. -- Kevin Shenk Avunu LLC

…

On Tue, Jun 17, 2025 at 3:56 AM Jeshua Lin ***@***.***> wrote: *jeslinmx* created an issue (Avunu/jwt_auth#1) <#1> Hi there! First of all, thank you for creating this app, it's one of the simplest SSO-type flows I've ever set up and it worked flawlessly for me when authenticating with an email belonging to an existing account. The issue I encountered was when attempting to authenticate with an email that does not already have an account, while Override Frappe Login is enabled. ERPNext attempts to send me to the profile update page for the new user, but that page then redirects to itself. Also note that ERPNext itself is protected by Cloudflare Access, however, from the network devtools, it appears that the redirect loop is simply (update profile page -> update profile page), rather than (update profile page -> jwt_auth configured login url (which is the Cloudflare Access login page) -> last page (which is the update profile page)). I also attempted the same experiment with Override Frappe Login disabled, but then I do not get automatic logins, even for users that already exist. I am inclined to believe that this is just operator error, as I have not used Frappe much yet, and also my JWT Auth Settings differs from what is described in the README (I do not have a Provider selection box, so I configured Cloudflare Access manually). I am installing jwt_auth from the develop branch, so I am not sure what I am doing wrongly here, but I would very much appreciate your guidance. Thanks! — Reply to this email directly, view it on GitHub <#1>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABGDZPOADS2R26IU7ZUNCK33D7C4NAVCNFSM6AAAAAB7PM3CNGVHI2DSMVQWIX3LMV43ASLTON2WKOZTGE2TENBWGQ4TIOI> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[jeslinmx]

Further testing reveals that this issue persists even if Frappe's login is not overridden. Also, server logs confirm that the 302 redirect loop originates directly from Frappe, and not from Cloudflare.

[jeslinmx]

Strange. After getting some sleep and doing further testing, I am no longer getting the redirect loop. Instead, I get the following error:

Traceback (most recent call last):
  File "apps/frappe/frappe/app.py", line 102, in application
    validate_auth()
  File "apps/frappe/frappe/auth.py", line 620, in validate_auth
    validate_auth_via_hooks()
  File "apps/frappe/frappe/auth.py", line 718, in validate_auth_via_hooks
    frappe.get_attr(auth_hook)()
  File "apps/jwt_auth/jwt_auth/auth.py", line 227, in validate_auth
    SessionJWTAuth().validate_auth()
  File "apps/jwt_auth/jwt_auth/auth.py", line 54, in validate_auth
    self.auth()
  File "apps/jwt_auth/jwt_auth/auth.py", line 46, in auth
    self.register_user(user_email)
  File "apps/jwt_auth/jwt_auth/auth.py", line 157, in register_user
    contact.save(ignore_permissions=True)
  File "apps/frappe/frappe/model/document.py", line 378, in save
    return self._save(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "apps/frappe/frappe/model/document.py", line 408, in _save
    self.check_if_latest()
  File "apps/frappe/frappe/model/document.py", line 863, in check_if_latest
    frappe.msgprint(
  File "apps/frappe/frappe/__init__.py", line 574, in msgprint
    _raise_exception()
  File "apps/frappe/frappe/__init__.py", line 525, in _raise_exception
    raise exc
frappe.exceptions.TimestampMismatchError: Error: Document has been modified after you have opened it (2025-06-23 15:05:27.091044, 2025-06-23 15:05:27.222621). Please refresh to get the latest document.

(to clarify, this is with JWT user auth enabled, new user creation enabled, and regardless of whether override Frappe login is enabled)

Upon refreshing the page, I am sent to the Frappe homepage, authenticated as the newly created user, but my Full Name is set to [Change Me] with no ability to actually change it anymore, since the user has been fully created.

---

I am temporarily putting integration of this app into my instance on hold while we work out how to have this working smoothly for my users, but I thought I'd add in a few more of my observations/questions here before I forget.

• If Override Frappe login is set, how can one log into accounts with username and password? Especially the Administrator account (which I have found cannot be entered with JWT, even when the email matches the claim in the JWT)
• If the logout link does not permit the current site in its CORS policy (which would be the case if using a third party OIDC provider such as CF Access), logging out only works on the Frappe homepage, since there the logout button is simply a link to the logout URL. Elsewhere (such as in ERPNext), the logout is triggered by XHR, which fails.
• The logout link doesn't appear to clear the SID cookie, so if in the same session I authenticate to my IdP as another user, on ERPNext I am still logged in as the previous user, even though the JWT is for a different user. I must manually delete the SID cookie for Frappe to register that I am authenticated as someone else.

[batonac]

I will work on this more at the beginning of next month. One quick note: I was hoping to force authentication through Cloudflare Access voluntarily on the Frappe side, but that didn't seem to be possible, in my testing, unless authenticated access was forced via a Cloudflare Zero Trust Application Policy (https://one.dash.cloudflare.com/<your id>/access/apps). This effectively disabled Administrator authentication, as you noted. That's not a problem for me since I can still run Administrator functions via the bench console, but it would be nice to find a solution.